Role types
Consider the following key differences between the different role types when you assign roles:
- ClusterRole: a Kubernetes RBAC role at the cluster scope in admin or user clusters.
- Role: a Kubernetes RBAC role at the namespace scope in admin or user clusters.
- ProjectRole: a custom resource definition (CRD) with permission defined
and is bound to user clusters and namespaces. Project roles propagate to
user clusters as a
Role
. - ProjectClusterRole: a CRD with permission defined, that propagates to
all user clusters as a
ClusterRole
there.
The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:
- Name: The name of a role displayed in the user interface (UI).
- Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
- Level: The specification of whether this role is scoped by the organization or a project.
- Type: The type of this role. For example, some possible values are
Role
,ProjectRole
,ClusterRole
, orOrganizationRole
. - Binding type: The type of binding that you must apply to this role.
- Admin or user cluster permissions: The permissions that this role has for admin or user clusters. For example, some possible values are read, write, read and write, or not applicable (N/A).
- Escalates to: The specification of whether this role escalates to other roles or not.
Predefined identity and access roles tables for PA and AO
The following tables provide details about the permissions assigned to each predefined role. There are separate tables for each persona:
PA Persona, predefined identity and access roles
PA persona | ||||
---|---|---|---|---|
Name | Kubernetes resource name | Initial admin | Level | Type |
Organization IAM Admin | organization-iam-admin |
True | Organization | ClusterRole |
AI Platform Admin | ai-platform-admin |
False | Organization | ClusterRole |
Billing Viewer | billing-viewer |
False | Organization | ClusterRole |
Bucket Admin | bucket-admin |
False | Organization | ClusterRole |
Bucket Object Admin | bucket-object-admin |
False | Organization | ClusterRole |
Bucket Object Viewer | bucket-object-viewer |
False | Organization | ClusterRole |
DR Backup Admin | dr-backup-admin |
False | Organization | ClusterRole |
DR System Admin | dr-system-admin |
False | Organization | Role |
Flow Log Admin | flowlog-admin |
False | Organization | ClusterRole |
Flow Log Viewer | flowlog-viewer |
False | Organization | ClusterRole |
GDCH Restrict By Attributes Policy Admin | gdchrestrictbyattributes-policy-admin |
False | Organization | ClusterRole |
GDCH Restricted Service Policy Admin | gdchrestrictedservice-policy-admin |
False | Organization | ClusterRole |
IdP Federation Admin | idp-federation-admin |
False | Organization | Role |
KMS Rotation Job Admin | kms-rotationjob-admin |
False | Organization | ClusterRole |
Log Querier | log-query-api-querier |
False | Project | Role |
Org Network Policy Admin | org-network-policy-admin |
False | Organization | Role |
Organization Backup Admin | organization-backup-admin |
False | Organization | ClusterRole |
Organization IAM Viewer | organization-iam-viewer |
False | Organization | ClusterRole |
Organization DB Admin | organization-db-admin |
False | Organization | ClusterRole |
Organization Upgrade Admin | organization-upgrade-admin |
False | Organization | ClusterRole |
Organization Upgrade Viewer | organization-upgrade-viewer |
False | Organization | ClusterRole |
Project Creator | project-creator |
False | Organization | ClusterRole |
Project Editor | project-editor |
False | Organization | ClusterRole |
SIEM Export Org Creator | siemexport-org-creator |
False | Project | Role |
SIEM Export Org Editor | siemexport-org-editor |
False | Project | Role |
SIEM Export Org Viewer | siemexport-org-viewer |
False | Project | Role |
System Cluster Backup Repository Admin | system-cluster-backup-repository-admin |
False | Organization | OrganizationRole |
Transfer Appliance Request Creator | transfer-appliance-request-creator |
False | Organization | ClusterRole |
User Cluster Admin | user-cluster-admin |
False | Organization | ClusterRole |
User Cluster Backup Admin | user-cluster-backup-admin |
False | Organization | OrganizationRole |
User Cluster Developer | user-cluster-developer |
False | Organization | OrganizationRole |
User Cluster Node Viewer | user-node-viewer |
False | Organization | OrganizationRole |
PA persona, predefined identity, and access roles
PA persona | ||||
---|---|---|---|---|
Name | Binding type | Org admin cluster permissions | User cluster permissions | Escalates to |
Organization IAM Admin |
ClusterRoleBinding |
|
N/A | Project IAM Admin and all other PA roles |
AI Platform Admin | RoleBinding |
AI platform user interface (UI): Read and write | N/A | N/A |
Backup Repository Admin | ClusterRoleBinding |
|
N/A | N/A |
Billing Viewer | ClusterRoleBinding |
SKU descriptions, machine inventory, fleets, invoices, and configs: Read | N/A | N/A |
Bucket Admin | ClusterRoleBinding |
Bucket and objects: Read and write | N/A | N/A |
Bucket Object Admin | ClusterRoleBinding |
|
N/A | N/A |
Bucket Object Viewer | ClusterRoleBinding |
Bucket and objects: Read | N/A | N/A |
DR Backup Admin | ClusterRoleBinding |
|
N/A | N/A |
DR System Admin | RoleBinding |
Secrets, buckets, roles, rolebindings, and service accounts: Read and write | N/A | N/A |
Flow Log Admin | ClusterRoleBinding |
Flow log resources: Read and write | N/A | N/A |
Flow Log Viewer | ClusterRoleBinding |
Flow log resources: Read | N/A | N/A |
GDCH Restrict By Attributes Policy Admin | ClusterRoleBinding |
GDCH restricted attributes policies: Create, edit, and delete | N/A | N/A |
GDCH Restricted Service Policy Admin | ClusterRoleBinding |
GDCH restricted service policies: Create, edit, and delete | N/A | N/A |
IdP Federation Admin | RoleBinding |
Identity provider configs and secrets: Create, read, update, patch, and delete | N/A | N/A |
KMS Rotation Job Admin | ClusterRoleBinding |
RotationJob resources: Create, read, update, patch, and delete |
N/A | N/A |
Log Querier | RoleBinding |
Log Query API project logs: Read | N/A | N/A |
Org Network Policy Admin | RoleBinding |
OrganizationNetworkPolicy in platform namespace: Create, read, update, and delete |
N/A | N/A |
Organization Backup Admin | ClusterRoleBinding |
|
N/A | N/A |
Organization IAM Viewer |
ClusterRoleBinding |
|
N/A | N/A |
Organization DB Admin | ClusterRoleBinding |
|
N/A | N/A |
Organization Upgrade Admin | ClusterRoleBinding |
Maintenance windows: Get, list, watch, update, and patch | N/A | N/A |
Organization Upgrade Viewer | ClusterRoleBinding |
Maintenance windows: Get, list, and watch | N/A | N/A |
Project Creator | ClusterRoleBinding |
|
N/A | N/A |
Project Editor | ClusterRoleBinding |
|
N/A | N/A |
SIEM Export Org Creator | RoleBinding |
SIEMOrgForwarder custom resources and secrets: Get, create, and read |
N/A | N/A |
SIEM Export Org Editor | RoleBinding |
SIEMOrgForwarder custom resources and secrets: Get, read, update, delete, and patch |
N/A | N/A |
SIEM Export Org Viewer | RoleBinding |
SIEMOrgForwarder custom resources and secrets: Read |
N/A | N/A |
System Cluster Backup Repository Admin | OrganizationRoleBinding |
Backup repositories: Get, read, create, and delete | N/A | N/A |
Transfer Appliance Request Creator | ClusterRoleBinding |
TransferApplianceRequest custom resource (CR): Read and create |
N/A | N/A |
User Cluster Admin | ClusterRoleBinding |
|
|
N/A |
User Cluster Backup Admin | OrganizationRoleBinding |
N/A |
|
N/A |
User Cluster Developer | OrganizationRoleBinding |
N/A | Clusters: Read and write | N/A |
User Cluster Node Viewer | OrganizationRoleBinding |
N/A | Clusters: Read | N/A |
AO Persona, predefined identity and access roles
AO persona | ||||
---|---|---|---|---|
Name | Kubernetes resource name | Initial admin | Level | Type |
Project IAM Admin | project-iam-admin |
True | Project | Role |
AI OCR Developer | ai-ocr-developer |
False | Project | Role |
AI Platform Viewer | ai-platform-viewer |
False | Project | Role |
AI Speech Developer | ai-speech-developer |
False | Project | Role |
AI Translation Developer | ai-translation-developer |
False | Project | Role |
Artifact Management Admin | artifact-management-admin |
False | Project | Role |
Artifact Management Editor | artifact-management-editor |
False | Project | Role |
Backup Creator | backup-creator |
False | Project | ProjectRole |
Dashboard Editor | dashboard-editor |
False | Project | Role |
Dashboard Viewer | dashboard-viewer |
False | Project | Role |
K8s NetworkPolicy Admin | k8s-networkpolicy-admin |
False | Project | ProjectRole |
KMS Admin | kms-admin |
False | Project | Role |
KMS Creator | kms-creator |
False | Project | Role |
KMS Developer | kms-developer |
False | Project | Role |
KMS Key Export Admin | kms-keyexport-admin |
False | Project | Role |
KMS Key Import Admin | kms-keyimport-admin |
False | Project | Role |
KMS Viewer | kms-viewer |
False | Project | Role |
Marketplace Editor | marketplace-editor |
False | Project | Role |
MonitoringRule Editor | monitoringrule-editor |
False | Project | Role |
MonitoringRule Viewer | monitoringrule-viewer |
False | Project | Role |
MonitoringTarget Editor | monitoringtarget-editor |
False | Project | Role |
MonitoringTarget Viewer | monitoringtarget-viewer |
False | Project | Role |
Namespace Admin | namespace-admin |
False | Project | ProjectRole |
NAT Viewer | nat-viewer |
False | Project | ProjectRole |
ObservabilityPipeline Editor | observabilitypipeline-editor |
False | Project | Role |
ObservabilityPipeline Viewer | observabilitypipeline-viewer |
False | Project | Role |
Project Bucket Admin | project-bucket-admin |
False | Project | Role |
Project Bucket Object Admin | project-bucket-object-admin |
False | Project | Role |
Project Bucket Object Viewer | project-bucket-object-viewer |
False | Project | Role |
Project NetworkPolicy Admin | project-networkpolicy-admin |
False | Project | Role |
Project DB Admin | project-db-admin |
False | Project | Role |
Project DB Editor | project-db-editor |
False | Project | Role |
Project DB Viewer | project-db-viewer |
False | Project | Role |
Project Viewer | project-viewer |
False | Project | Role |
Project VirtualMachine Admin | project-vm-admin |
False | Project | Role |
Project VirtualMachine Image Admin | project-vm-image-admin |
False | Project | Role |
Secret Admin | secret-admin |
False | Project | Role |
Secret Viewer | secret-viewer |
False | Project | Role |
Service Configuration Admin | service-configuration-admin |
False | Project | Role |
Service Configuration Viewer | service-configuration-viewer |
False | Project | Role |
Vertex AI Prediction User | vertex-ai-prediction-user |
False | Project | Role |
Workbench Notebooks Admin | workbench-notebooks-admin |
False | Project | Role |
Workbench Notebooks Viewer | workbench-notebooks-viewer |
False | Project | Role |
AO persona, predefined identity, and access roles
AO persona | ||||
---|---|---|---|---|
Name | Binding type | Org admin cluster permissions | User cluster permissions | Escalates to |
Project IAM Admin | RoleBinding |
|
N/A | All other AO roles |
AI OCR Developer | RoleBinding |
OCR resources: Read and write | N/A | N/A |
AI Speech Developer | RoleBinding |
Speech resources: Read and write | N/A | N/A |
AI Translation Developer | RoleBinding |
Translation resources: Read and write | N/A | N/A |
Backup Creator | ProjectRoleBinding |
N/A |
|
N/A |
Dashboard Editor | RoleBinding |
Dashboard custom resources: Get, read, create, update, delete, and patch |
N/A | N/A |
Dashboard Viewer | RoleBinding |
Dashboard : Get and read |
N/A | N/A |
K8s NetworkPolicy Admin | ProjectRoleBinding |
NetworkPolicy resources: Create, read, get, update, delete, and patch |
N/A | N/A |
KMS Admin | RoleBinding |
|
N/A | N/A |
KMS Creator | RoleBinding |
AEADKey and SigningKey : Create and read
|
N/A | N/A |
KMS Developer | RoleBinding |
|
N/A | N/A |
KMS Key Export Admin | RoleBinding |
KeyExport resource: Create, read, update, patch, and delete
|
N/A | N/A |
KMS Key Import Admin | RoleBinding |
KeyImport resource: Create, read, update, patch, and delete
|
N/A | N/A |
KMS Viewer | RoleBinding |
AEADKey , SigningKey , KeyImport , KeyExport : Read
|
N/A | N/A |
Marketplace Editor | RoleBinding |
N/A | Service instances: Create, update, and delete | N/A |
MonitoringRule Editor | RoleBinding |
MonitoringRule custom resources: Create, read, update, delete, and patch |
N/A | N/A |
MonitoringRule Viewer | RoleBinding |
MonitoringRule custom resources: Read |
N/A | N/A |
MonitoringTarget Editor | RoleBinding |
MonitoringTarget custom resources: Create, read, update, delete, and patch |
N/A | N/A |
MonitoringTarget Viewer | RoleBinding |
MonitoringTarget custom resources: Read |
N/A | N/A |
Namespace Admin | ProjectRoleBinding |
N/A | All resources: Read and write access in the project namespace, excluding the system cluster | N/A |
NAT Viewer | ProjectRoleBinding |
N/A | Deployments: Get and read | N/A |
ObservabilityPipeline Editor | RoleBinding |
ObservabilityPipeline resources: Get, read, create, update, delete, and patch |
N/A | N/A |
ObservabilityPipeline Viewer | RoleBinding |
ObservabilityPipeline resources: Get and read |
N/A | N/A |
Project Bucket Admin | RoleBinding |
Bucket: Read and write in the project namespace | N/A | N/A |
Project Bucket Object Admin | RoleBinding |
|
N/A | N/A |
Project Bucket Object Viewer | RoleBinding |
Bucket and objects: Read | N/A | N/A |
Project NetworkPolicy Admin | RoleBinding |
Project network policies: Read and write in the project namespace | N/A | N/A |
Project DB Admin | RoleBinding |
|
N/A | N/A |
Project DB Editor | RoleBinding |
|
N/A | N/A |
Project DB Viewer | RoleBinding |
Database versions, flags, maintenance policies, software libraries, backup plans, restores, imports, exports, database clusters, and failovers: Read | N/A | N/A |
Project Viewer | RoleBinding |
All resources in the project namespace: Read | N/A | N/A |
Project VirtualMachine Admin | RoleBinding |
|
N/A | N/A |
Project VirtualMachine Image Admin | RoleBinding |
|
N/A | N/A |
Secret Admin | RoleBinding |
Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
Secret Viewer | RoleBinding |
Kubernetes secrets: Read | N/A | N/A |
Service Configuration Admin | RoleBinding |
ServiceConfigurations : Read and write
|
N/A | N/A |
Service Configuration Viewer | RoleBinding |
ServiceConfigurations : Read
|
N/A | N/A |
Workbench Notebooks Admin | RoleBinding |
N/A |
|
N/A |
Workbench Notebooks Viewer | RoleBinding |
N/A |
|
N/A |
Common predefined identity and access roles
Common roles | ||||
---|---|---|---|---|
Name | Kubernetes resource name | Initial admin | Level | Type |
AI Platform Viewer | ai-platform-viewer |
False | Project | Role |
DB UI Viewer | db-ui-viewer |
False | Project | ClusterRole |
DB Options Viewer | db-options-viewer |
False | Project | ClusterRole |
DNS Suffix Viewer | dnssuffix-viewer |
False | Organization | Role |
Flow Log Admin | flowlog-admin |
False | Organization | ClusterRole |
Flow Log Viewer | flowlog-viewer |
False | Project | ClusterRole |
Marketplace Viewer | marketplace-viewer |
False | Project | ClusterRole |
Pricing Calculator User | pricingcalculator-user |
False | Project | ClusterRole |
Project Discovery Viewer | projectdiscovery-viewer |
False | Project | ClusterRole |
Public Image Viewer | public-image-viewer |
False | Organization | Role |
Virtual Machine Type Viewer | virtualmachinetype-viewer |
True | Organization | OrganizationRole |
VM Type Viewer | vmtype-viewer |
False | Organization | Role |
Common predefined identity and access roles
Common roles | ||||
---|---|---|---|---|
Name | Binding type | Admin cluster permissions | User cluster permissions | Escalates to |
AI Platform Viewer | RoleBinding |
Pre-trained services: Read | N/A | N/A |
DB Options Viewer | ClusterRoleBinding |
DBS configurations: Read | N/A | N/A |
DB UI Viewer | ClusterRoleBinding |
DBS UI configurations: Read | N/A | N/A |
DNS Suffix Viewer | RoleBinding |
DNS suffix config maps: Read | N/A | N/A |
Flow Log Admin | ClusterRoleBinding |
Flow log resources: Get and read | Flow log resources: Get and read | N/A |
Flow Log Viewer | ClusterRoleBinding |
Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
Marketplace Viewer | ClusterRoleBinding |
Service versions and service instances: Read | N/A | N/A |
Pricing Calculator User | ClusterRoleBinding |
N/A | SkuDescriptions : Read |
N/A |
Project Discovery Viewer | ClusterRoleBinding |
Projects: Read | N/A | N/A |
Public Image Viewer | RoleBinding |
VM images: Read | N/A | N/A |
VM Type Viewer | ClusterRoleBinding |
VM types: Read | N/A | N/A |